Contrib.social
Created on 10 August 2023, 11 months ago
Updated 29 February 2024, 4 months ago

Problem/Motivation

When the actual server is behind a loadbalancer or any other machine, crowdsec bans that server thus making the site unreachable.

Proposed resolution

Add a whitelist option to add ip addresses.

✨ Feature request
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ΉπŸ‡·Turkey RgnYLDZ

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @RgnYLDZ
  • Comment 11 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    Thanks for reaching out. However, I'm not sure I can follow you on this. Do you mean that when bad requests are coming in that Drupal reports the IP address of your load balancer (i.e. the proxy) to CrowdSec? Don't think that's the case if the Drupal site is configured correctly. There are reverse proxy settings to be made which allow Drupal to see the real IP address of the user who's making the request, and then that IP address is reported to CrowdSec, not the one of your load balancer. Or am I missing something?

  • Comment 7 months ago β†’
    πŸ‡ΉπŸ‡·Turkey Kartagis Istanbul

    @jurgenhaas this happens to me as well. We could make a form to enter IPs individually (not ideal, but works) and/or make a button for administrators to exempt them from the ban.

  • Comment 7 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    @Kartagis which IPs do you want to put into such a list? As I mentioned in #2, the proxy addresses don't have to be configured there, because if the Drupal site is configured correctly in the first place, Drupal will know the correct IP of the client and ban that one instead of the proxy.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States websiteworkspace

    Many related modules have IP address whitelist entry features.
    It is absolutely imperative that this module have an IP address whitelist management feature.
    No drupal site builder wants to get IP banned from their own website while working on it.
    -
    When this module IP banned me, I was fortunately, able to quickly pop into my VPN (generating a fresh IP address) and was then able to remove the erroneous IP ban the drupal IP ban module list.

  • Comment 4 months ago β†’
    πŸ‡ΉπŸ‡·Turkey Kartagis Istanbul

    @jurgenhaas active user's IP could be there.

  • Comment 4 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    If anything, this would be called an allowlist. We don't want to use anything black and white.

    The original post in this issue was about an issue with reverse proxy IP addresses, which must have been misconfigured; otherwise that wouldn't have happened.

    The new use case brought up in #5 is about internal users who should be allowed to request invalid URLs. I can't follow that logic. If something like that happens unintentionally on a website to admins or editors, then something with that site is entirely wrong and should be fixed.

    If this happens in a local or a test environment, then it's not recommended to have CrowdSec enabled there. This is a module to protect live sites. In other environments it should be disabled.

  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States websiteworkspace

    The terms - allow-list - and - ban-list - seem appropriate.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024